PAN-OS 11.1.6 Known Issues
Focus
Focus

PAN-OS 11.1.6 Known Issues

Table of Contents

PAN-OS 11.1.6 Known Issues

PAN-OSĀ® 11.1.6 known issues.
The following list includes only outstanding known issues specific to PAN-OSĀ® 11.1.6. This list includes issues specific to Panoramaā„¢, GlobalProtectā„¢, VM-Series plugins, and WildFireĀ®, as well as known issues that apply more generally or that are not identified by an issue ID.
Issue ID
Description
PAN-293673When the firewall generates a high volume of logs and attempts to export these logs to an FTP server, it may consume excessive memory leading to all PAN-OS processes crashing.
PAN-292202
The system logs repeatedly displayed the alert `Clearing snmpd.log due to log overflow` due to the SNMP counters rolling over. This is a benign message and does not impact device functionality.
PAN-290996
When performing an SNMP walk, the Connections Per Second (CPS) counters incorrectly return a value of 0 for each virtual system (VSYS), despite the firewall actively processing connections.
PAN-290088
When pushing configurations from Panorama to a firewall, a memory leak might occur in the firewall's configd process, particularly when the configurations contain shared policies. Each configuration push causes the configd process to consume additional memory that is not released after the commit completes.
PAN-289383
(PA-800 series firewalls only) Upgrading firewalls to PAN-OS 11.0 or later causes SFP ports to go non-operational when the firewall uses forced port mode and the connected peer device operates without auto-negotiation.
Workaround: Enable auto-negotiation on the connected peer firewall.
PAN-287056
This issue is now resolved. See PAN-OS 11.1.6-h14 Addressed Issues
A BGP export policy rule that matches on a next hop fails to block the advertisement of static routes, and the firewall incorrectly matches the egress interface IP address instead of the original next-hop IP address of the static route, which causes the deny rule to fail.
PAN-286897
The pan_task process might fail when the firewall attempts to forward files to the WildFire public cloud, which can cause the dataplane to experience heartbeat failures.
Workaround: Disable the firewall WildFire Analysis profile.
PAN-286848
ECMP incorrectly balances sessions across links based on the configured metric, which leads to an imbalance in traffic distribution and results in traffic assignment shifting disproportionately to routes with lower metrics.
PAN-286496
(NGFW Clusters) URL-continue and override continue selections will function like a general URL-block action.
PAN-286306
This issue is now resolved. See PAN-OS 11.1.6-h14 Addressed Issues
When getting transceiver information from ESCC for SFP 25G modules, the transceiver code incorrectly displays Unknown instead of 25GBase-SR.
PAN-286255
This issue affects PAN-OS 11.1.6-h4
This issue is now resolved. See PAN-OS 11.1.6-h7 Addressed Issues.
When a firewall receives an unexpected termination request for certain SSL sessions , NGFW dataplane might experience a slow buffer resource leak.
Workaround: Disable accumulation proxy on the NGFW.
PAN-286231
When performing a partial Commit and Push on Panorama, there is a risk that unintended configuration changes might be pushed to a firewall.
This issue is more likely to occur in the following scenarios:
  • When you run Commit and Push operations as a single action.
  • When you trigger multiple parallel commit-all jobs at the same time.
  • Device groups and templates have different configuration synchronization versions.
Workaround: Perform one of the following steps:
  • Perform commit and push as two separate, sequential steps.
  • Perform a full push instead of selective push.
PAN-285894
If the Preserve Pre-NAT feature is enabled, dataplane crashes may occur, which could result in firewall reboots.
Workaround: Disable the Preserve Pre-NAT feature using the set deviceconfig setting preserve-prenat-feature no CLI command.
PAN-285590
VM-Series firewalls deployed behind an AWS GWLB might experience 100% dataplane CPU utilization when an Anti-Spyware profile is applied to traffic.
PAN-283467
This issue is now resolved. See PAN-OS 11.1.6-h10 Addressed Issues.
(PA-3400 Series firewalls only) The firewall might unexpectedly reboot and enter maintenance mode due to a ctd-agent out-of-memory (OOM) condition when undergoing advanced services load testing with a high volume of IoT EAL log forwarding.
Workaround: Limit the number of EAL logs generated by the firewall using the following CLI command: debug iot eal key-value EAL_PENDING_BYTES=1000.
PAN-282854
The Elasticsearch cluster fails to start after deploying dedicated log collectors in a multi-collector environment.
Workaround: Restart all the involved log collectors.
PAN-282236
(PAN-OS 11.1.6-h3 only)
This issue is now resolved. See PAN-OS 11.1.6-h4 Addressed Issues.
The firewall doesn't reassemble IPv6 packets correctly after they are fragmented. IPv6 SSL sessions may not be established if the client hello arrives in multiple segments.
PAN-281885
When exporting and importing the CSV file, the hash values of pre-shared key (PSK) variables set at template and template stack levels inconsistently change, resulting in both variables displaying the same hash value.
PAN-280532
This issue is now resolved. See PAN-OS 11.1.10 Addressed Issues.
When you use a single syslog server over TCP for log forwarding, and the connectivity to the syslog server breaks, syslog forwarding does not resume even after the connectivity to the server restores.
Workaround: Performing one of the following tasks:
  • Reboot the firewall.
  • Temporarily, configure syslog to use UDP, commit the configuration, revert to TCP, and then commit.
PAN-280471
When applying filters or searching for logs in the PanoramaMonitorLogssection, you might experience slow performance.
PAN-279901
When decryption is enabled, segmented Client Hello packets can cause website access issues and memory leaks under the following conditions:
  • The segmented Client Hello packets arrive out-of-order
  • The segmented Client Hello packets arrive out-of-order and can be reassembled into a complete Client Hello when the first contiguous segment is formed by NGFW
  • The first segment of the Client Hello packets is less than 5 bytes
  • A decryption policy rule excludes this traffic from decryption and a Security policy rule (URL filtering) denies this session
PAN-279746
(PAN-OS 11.1.6-h3 only)
This issue is now resolved. See PAN-OS 11.1.6-h4 Addressed Issues.
An SSL/TLS Client Hello may not be transmitted out of the firewall if the Client Hello arrives in multiple TCP segments and the traffic is not subject to SSL decryption (for example, SMTP over SSL).
PAN-279621
This issue is now resolved. See PAN-OS 11.1.9 Addressed Issues.
Early aging and removal of firewall session while they are still active can lead to intermittent instabilities and crashes for proxy traffic, the Content and Threat detection engine, and any data-path processing.
PAN-279604
(PAN-OS 11.1.6-h1 only)
The scheduled SaaS application usage reports are incorrectly generated and only the login page appears instead of the intended report content.
PAN-279415
Service routes configured for a data plane interface might incorrectly route traffic through the management plane interface instead. This issue impacts Syslog and CRL status traffic when the service route lacks a specific destination custom service route.
PAN-278322
VM-Series firewalls deployed behind an AWS GWLB might display an incorrect or empty Source User field in traffic logs and session details.
PAN-278296
(This issue affects PAN-OS 11.1.6-h6.)
This issue is now resolved. See PAN-OS 11.1.6-h6 Addressed Issues.
The system MAC address of the aggregate interface is the same on both the active and the passive devices, causing some packets to be sent incorrectly to the passive device. This is causing the AE interface on the active firewall to not come up.
PAN-277417
Thibx
Memory leak issues can occur during the parsing of server certificates used for SSL Inbound Inspection, preventing the firewall from completing inspection.
PAN-277090
When you enable Advanced Routing and configure a BGP Authentication profile, if you configure a Secret that includes any special characters apart from these seven special characters !@#%^_-, an error message displays, indicating that The value in this field is invalid.
Workaround: Don't include any special character apart from the !@#%^_- characters in the Secret for a BGP Authentication profile.
PAN-276920
URL filtering response pages may load slowly or fail to display when users request websites that are blocked in the URL Filtering profile (site access for the corresponding URL category is block, continue, or override) attached to the matching Security policy rule. This occurs on an intermittent basis.
PAN-275905
(PAN-OS 11.1.6-h3 only)
A high volume of incoming logs to a Collector Group can significantly increase CPU usage on the Elasticsearch and Management Server, potentially causing process instability or crashes.
PAN-275601
This issue is now resolved. See PAN-OS 11.1.10 Addressed Issues
When Panorama is not internet-connected and you try to upload images to the managed firewalls by using the Validate option, the upload fails with the following error: Failed to create multi-upload job. No valid software deploy targets found.
PAN-275047
(VM-Series firewalls only) After an upgrade, the firewall is unable to send logs to the Strata Logging Service (SLS) when using a specific proxy server, and the SSL connection status displays as failed when attempting to forward logs through the web proxy.
PAN-274146
VM-Series firewalls deployed behind an AWS GWLB might crash and reboot unexpectedly if tunnel sessions are moving through the firewall.
PAN-272085
(This issue affects PAN-OS 11.1.6-h3.)
When DoH is enabled for DNS Security, multiple DoH transactions in a single HTTP/1 connection might unexpectedly cause the firewall to crash and reboot.
Workaround: Manually disable DoH support for DNS Security using the set deviceconfig setting dns-over-https enable no CLI command. Alternatively, you can remove the DNS Security configuration used to handle DoH traffic.
PAN-269193
This issue is now resolved. See PAN-OS 11.1.8 Addressed Issues.
When multiple application are configured for GlobalProtect Clientless VPN, users are directed to the first application instead of portal page with a list of application.
PAN-268705
This issue is now resolved. See PAN-OS 11.1.6-h10 Addressed Issues.
The firewall intermittently fails to process FTP traffic.
Workaround: Configure an application override policy rule for FTP applications.
PAN-262556
The ElasticSearch cluster health status might continue to remain yellow for an extended period after upgrading to PAN-OS 11.1
PAN-261429
The command show auth radius-require-msg-authentic might return no output.
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application (ObjectsApplications) tag.
PAN-254240
In the event of an HSCI flap on an NGFW cluster node, traffic reconvergence takes three to four seconds.
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
PAN-252358
(PA-7500 Series firewalls only) In the event of a corosync restart, an NGFW cluster node goes to failed state.
PAN-251551
(PA-7500 Series firewalls only) When an NGFW cluster agent crashes and doesn't recover, leader election will take approximately 45 seconds to begin and traffic failover will occur during that time.
PAN-250903
(PA-7500 Series firewalls only) In a congestion scenario on an HSCI port of an NGFW cluster node, the QoS priorities of cross node traffic streams might be reversed if you're using the default QoS profile with class1 to class8 set as high to low.
PAN-247974
(PA-7500 Series firewalls only) LACP flap is expected during a device failover in an NGFW cluster due to an L2 ctrld restart on the new leader node.
PAN-240529
This issue is now resolved. See PAN-OS 11.1.7 Addressed Issues
(PA-7500 Series firewalls only) Cloud application information is missing from traffic logs on NGFW cluster nodes.
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
PAN-220180
Configured botnet reports (MonitorBotnet) are not generated.
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
PAN-207442
For M-700 appliances in an active/passive high availability (PanoramaHigh Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful (Tasks), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround: Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama.
  3. In the active-primary HA peer Dashboard, click Sync to Peer in the High Availability widget.
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (PanoramaManaged Collector) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Confirm the Dedicated Log Collector is disconnected from Panorama.
    admin> show panorama-status
    Verify the Connected status is no.
  2. Restart the mgmtsrvr process.
    admin> debug software restart process management-server
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
PAN-197419
(PA-1400 Series firewalls only) In NetworkInterfaceEthernet, the power over Ethernet (PoE) ports do not display a Tag value.
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes (CommitPush to DevicesEdit Selections or CommitCommit and PushEdit Selections).
PAN-195968
(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
PAN-194978
(PA-1400 Series firewalls only) In NetworkInterfaceEthernet, hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status (PanoramaManaged DevicesSummary) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select CommitPush to Devices.
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround: Use CommitPush to Devices to synchronize the templates.
PAN-184708
Scheduled report emails (MonitorPDF ReportsEmail Scheduler) are not emailed if:
  • A scheduled report email contains a Report Group (MonitorPDF ReportsReport Group) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select MonitorPDF ReportsReport Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select MonitorPDF ReportsEmail Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK.
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit.
    (Panorama managed firewalls) Select CommitCommit and Push
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
PAN-164885
On the Panorama management server, pushes to managed firewalls (CommitPush to Devices or Commit and Push) may fail when an EDL (ObjectsExternal Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.